What to expect, what to do after a card data breach

Data hackers have been busy, doing what they do best: breaching databases and making a mess you'll have to clean up.

Since
the summer of 2012, Barnes & Noble, the South Carolina Department of Revenue and
GoTickets.com are just a few of the organizations reporting that data hackers have caused data breaches, potentially
putting customers' debit or credit card information at risk, and opening
them up to the risk of full-fledged identity theft.

So
far this year, the Privacy Rights Clearinghouse has received reports of more
than 200 data breaches involving payment card fraud or hacking, exposing more
than 12 million consumer records.

In some instances, the hackers seemed most
interested in the thrill of hacking into a system and exposing its
vulnerabilities, but in more worrisome cases, Social Security numbers and
debit and credit card information were exposed.

"Anybody
paying attention to the news lately regularly sees reports of major data
breaches," says John Breyault, vice president of public policy,
telecommunications and fraud at the National Consumers League.

If your information was stolen, "your vulnerability varies based on how
severe the data breach was," Breyault says.

While there's little a consumer can do before a data breach, here's what you can expect if one happens, and the steps you can take to minimize the hassle and maximize your protection.

How you'll find outThe first and most crucial step is to notice that a breach has happened and assess your risk. That's not always easy. No federal law requires you be notified of security
breaches involving your personal information.

State
notification laws tend to follow a similar pattern, says Sam Imandoust, legal
analyst for the Identity Theft Resource Center. If a certain number of people
have been impacted by a data breach, the law will require the company or
organization to send a letter to everyone who may have been impacted.

In
most cases, the letter doesn't need to go out within a set time frame, but as
"expediently as possible," Imandoust says. Delays are allowed if law
enforcement officials are investigating the breach, and public notification might
impact their investigation.

The
letters typically will contain information on the type of personal information
thought to be part of the breach, a description of what occurred, when it
occurred, and contact information for credit bureaus, Imandoust says. Because it's left to the companies to craft the language, in practice, some letters are more forthcoming and clear than others.

What
your bank knows
Surprisingly, if you've been notified of a credit or debit card data
breach, it doesn't mean your bank has been.

The
company that suffered the breach may not be the bank itself, but some third party with its hands in the transaction process. The company that suffered the breach must notify the consumer, as well as bank card
associations -- such as Visa and MasterCard -- which then notify their member
banks, says Tom Shaw, vice president of financial crimes management at USAA.

In
cases such as the Barnes & Noble data breach, in which credit and debit
card information was stolen from PIN pad devices at 63 stores, the incident was
kept from the public while the FBI conducted an investigation. USAA knew about
the case before the victims did.

But
there's always a chance something can fall between the cracks. Once you learn
you've been the victim of a data breach, Katie Ross, education and development
manager for American Consumer Credit Counseling (ACCC), recommends contacting your
bank or credit card company directly to report the breach and make sure there's
been no suspicious activity on your account.

What happens next
A
data breach doesn't necessarily mean your financial institution will issue you
a new credit or debit card, USAA's Shaw says.

Your
issuer will look at the type of information that bad guys have in their hands, how often fraud has occurred with other cards that have been part of the
same data breach, and then calculate the chances your card could be
compromised, he says.

In
some instances, "rather than having the customer go through the pain of getting
a new card and setting up new recurring payments, we'll monitor it," Shaw says.
But if you report fraudulent activity on your account, it will immediately be
deactivated.

If
there hasn't been fraud, but USAA thinks it might occur, USAA will issue you a
new card but your current card will remain active for the short term.

At
Wells Fargo, the bank will telephone you if there's a chance your current card
is at risk for unauthorized transactions, says spokeswoman Natalie Brown.

During
the call, the Wells Fargo representative will tell you a new card is en route
and when your existing card will be deactivated, Brown says. The time frame for
deactivation can vary from case to case.

When the new card arrives
When
you receive a new card, you should follow the steps the bank requires to
activate it. Usually that involves calling a toll-free number from your home
phone or activating it online.

They
just want your credit card number. They are agnostic as to whose name
is embedded in the magnetic stripe.

-- Tom Shaw
Vice president, financial crimes management, USAA

While
some banks may allow you to make small purchases without activating your card, others,
such as USAA, say it's not possible to use one of their cards unless it's been
activated.

After
you've activated your new card, be sure to contact all the companies that
automatically bill to your credit card, like your cellphone
company, Internet service provider and utility company, and give them your new
card number, Wells Fargo's Brown says. Otherwise you run the risk of your transactions not
going through.

With
your new card, you also might want to set up a "verbal" password on your card to
help verify your identity, says Ross of the ACCC. A verbal password is one that must be spoken before you or anyone else can access your banking information by phone.

Then
you need to make sure you destroy your old card properly. Taking a pair of
scissors to your credit card won't do the trick. Ross, who conducts identity
theft prevention classes, says it's crucial to use a cross-cut shredder.
Otherwise your trash can provide a bonanza for Dumpster divers.

What defenses do you needYour
work still isn't done. Contact one the three main credit bureaus -- Experian,
Equifax and TransUnion -- and have an initial fraud alert placed on your credit
report. The bureau you contact is required to notify the other two.

The
fraud alert will remain on your reports for 90 days, and you're entitled to one
free credit report from each agency. Check them diligently for errors, Breyault
says.

In
many cases, having your credit or debit card information stolen won't develop
into a full-fledged identity theft case, Shaw says. In these cases, the thieves simply want to run up as many purchases as they can.

"They
just want your credit card number," he says. "They are agnostic as to whose name
is embedded in the magnetic stripe."

To
be safe, place a security freeze on your credit report, locking out anyone who
tries to get new credit in your name. The only ones who can view your report
are lenders with whom you do business, Breyault says. You can opt to have the
freeze lifted temporarily or permanently.

Another
safeguard is to sign up for free alerts if there is suspicious activity on your
debit or credit card, he says.

If
you've been the victim of a data breach, the organization that has been hit is
likely to offer you free credit monitoring service for a set period of time,
Breyault says. Once that period expires, you'll have to pay for the service.

He
frowns on paying for a third party to monitor your credit report. "They're
often incomplete and have a lag time in data. They're not the same ones the
lenders see. It's really not worth the money to get them."

Instead,
he recommends, "be aggressive in getting your credit reports and checking them
repeatedly for errors."

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

Credit freezes are now free ? but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...

See the online credit card applications for details about the terms and conditions of an offer. Reasonable efforts are made
to maintain accurate information. However, all credit card information is presented without warranty. When you click on
the "Apply Now" button, you can review the credit card terms and conditions on the issuer's web site.

Related Sites

ADVERTISER DISCLOSURE CreditCards.com is an independent, advertising-supported comparison service. The offers that appear
on this site are from companies from which CreditCards.com receives compensation. This compensation may impact how
and where products appear on this site, including, for example, the order in which they appear within listing categories.
Other factors, such as our proprietary website's rules and the likelihood of applicants' credit approval also impact
how and where products appear on the site. CreditCards.com does not include the entire universe of available financial
or credit offers.

Advertiser Disclosure

CreditCards.com is an independent, advertising-supported comparison service. The offers that appear on this site are from companies from which CreditCards.com receives compensation. This compensation may impact how and where products appear on this site, including, for example, the order in which they may appear within listing categories. Other factors, such as our own proprietary website rules and the likelihood of applicants' credit approval also impact how and where products appear on this site. CreditCards.com does not include the entire universe of available financial or credit offers.